How-to: Remove Ransom-ware with Kaspersky Rescue Disk

Following our last security How-to, Identify the Troj/Urausy Ransom-ware infection, this post describes using an anti-virus removal tool from Kaspersky to deal with the malware on my esteemed colleague’s laptop.

To create a bootable Kaspersky Rescue Disk, you will need a clean, non-infected, computer with Internet access and a DVD or CD burner, OR, if the infected machine lacks an optical drive, a USB flash drive you can wipe and install Kaspersky Rescue Disk onto.

You will also need to be able to call up a one-time boot menu (usually the f12 key at power-on) and make sure you can change the boot order in the infected machine’s BIOS so that you can boot into the Kaspersky Rescue Disk in place of your Windows install.

Download Kaspersky Rescue Disk and burn it to a blank CD or DVD. I won’t go into this; suffice to say most Windows machines have software to burn disk images onto optical media. You could also install the software onto a USB flash drive.
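For the USB route, the step a practitioner will want that the post skips is to check the downloaded image against the checksum the vendor publishes and to make sure you are writing to the stick and not to a fixed disk. The script below is an added example written from a clean Linux machine; it is not Kaspersky’s own USB tool, the `EXPECTED_SHA256` value is a placeholder you replace with the digest published for your download, and the device path you pass is an assumption you verify with `lsblk` first.

```bash
#!/usr/bin/env bash
# Added example: prepare a Kaspersky Rescue Disk USB stick from a clean Linux machine.
# Not Kaspersky's tooling. Assumes you have the ISO and the SHA-256 digest published
# for it; EXPECTED_SHA256 below is a placeholder, not a real value.
set -euo pipefail

# Placeholder: replace with the digest published for the ISO you downloaded.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Compare a file's SHA-256 against an expected digest. Returns 0 on match, 1 otherwise.
verify_iso() {
    local iso="$1" expected="$2" actual
    actual=$(sha256sum "$iso" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $iso"
        return 0
    fi
    echo "checksum MISMATCH for $iso: got $actual, expected $expected" >&2
    return 1
}

# Refuse to write to anything that is not a removable block device, or that is mounted.
# This is the guard against typing /dev/sda when you meant the stick.
check_target_device() {
    local dev="$1" name
    name=$(basename "$dev")
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = "1" ] \
        || { echo "$dev is not flagged removable; refusing" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# Verify, check the target, then write the image raw to the whole device.
write_iso() {
    local iso="$1" dev="$2"
    verify_iso "$iso" "$EXPECTED_SHA256"
    check_target_device "$dev"
    sudo dd if="$iso" of="$dev" bs=4M status=progress conv=fsync
    sync
}

# Usage: ./make-rescue-usb.sh --write /path/to/krd.iso /dev/sdX
if [ "${1:-}" = "--write" ]; then
    write_iso "$2" "$3"
fi
```

Run it only from the clean machine; the whole point of the post is that the stick is never plugged into the infected laptop while Windows is running.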

Boot into your Kaspersky Rescue Disk to remove malware

To restart the infected computer, place your rescue disk into your disk drive, then hold down the power button for ten seconds to power down your computer. Only insert the USB flash drive containing Kaspersky Rescue Disk when the machine is completely off – otherwise the infection may spread to the USB drive!

When your computer is completely shut down, press the power button to turn it back on. You may need to hit f12 to invoke a one-time boot menu. Select the CD or USB drive to boot into Kaspersky Rescue Disk instead of your infected hard drive. The CD will show an on-screen message like “press any key to boot from CD/DVD”. Press any key and your computer will continue booting from the rescue disk.

The Kaspersky Rescue Disk will begin booting. It is actually based on a slimmed-down Linux Live CD with a KDE desktop (not that you need to know that); it is a self-contained boot environment that is NOT Microsoft Windows and can’t be cross-infected by the Troj/Urausy Ransomware.

Select a language, select Kaspersky Rescue Disk Graphic Mode, then hit ENTER. This will start your rescue disk, booting into the graphical desktop.

NOTE: since I bypassed Windows and mounted the hard drive with the Kaspersky Live CD, I took the opportunity to take a full, up-to-date backup of the owner’s data. Don’t assume this is going to work 100% on all variants of the virus; prepare for the worst and assume you’ll do a factory re-set of the machine, which means wiping Windows and all the data on the disk.
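The backup from the live environment is worth doing carefully: mount the Windows partition read-only so nothing is written to the infected disk, and copy documents rather than the executables, scripts and shortcuts that a dropper tends to leave behind, so the backup does not carry the infection to the next machine. This is an added example of that approach, not a step from the post or a Kaspersky feature; the partition names `/dev/sda2` and `/dev/sdb1`, the mount points under `/mnt` and the exclusion list are all assumptions to adjust for the laptop in front of you.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): take a read-only copy of the user's
# data from the rescue environment before scanning. Device names are assumptions.
set -euo pipefail

# Copy the user profile tree, leaving out file types that commonly carry the infection
# itself and the AppData tree where droppers usually live. Documents only.
backup_profiles() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    tar -C "$src" \
        --exclude='*.exe' --exclude='*.dll' --exclude='*.scr' \
        --exclude='*.lnk' --exclude='*.bat' --exclude='*.vbs' \
        --exclude='*/AppData' \
        -cf - . | tar -C "$dest" -xf -
}

# File count so you can sanity-check the copy before shutting the machine down.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Mount the Windows partition read-only (ntfs-3g, assumed present on the live CD),
# the external drive read-write, and copy the profiles into a dated directory.
mount_and_backup() {
    local win_dev="${1:-/dev/sda2}" ext_dev="${2:-/dev/sdb1}"
    mkdir -p /mnt/windows /mnt/backup
    mount -t ntfs-3g -o ro "$win_dev" /mnt/windows   # ro: never write to the infected disk
    mount "$ext_dev" /mnt/backup
    backup_profiles /mnt/windows/Users "/mnt/backup/Users-$(date +%F)"
    echo "copied $(count_files "/mnt/backup/Users-$(date +%F)") files"
    umount /mnt/windows /mnt/backup
}

# Usage: ./backup-profiles.sh --run /dev/sda2 /dev/sdb1
if [ "${1:-}" = "--run" ]; then
    mount_and_backup "${2:-}" "${3:-}"
fi
```

Keep the copy as a quarantine, not a trusted archive: scan the external drive with the same tool before restoring anything from it.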

From the Kaspersky Rescue Disk main screen, select Scan to start the utility.

If you can persuade the infected machine to connect to the Internet – use the Internet connection icon in the bottom-right system tray – select the My Update Center tab to make sure you have the latest set of virus definitions for KRD to scan with. Select Start update; this updates the program with any new anti-virus definitions and any other new information the program can use. This may take some time to finish.

When the update is complete, go to the Objects Scan tab, choose which drives you want the program to scan, and select Start Objects Scan. The objects scan can take anything from a few minutes to a few hours – on the 120GB laptop drive with Windows 7, it took four hours to complete.

Kaspersky will alert you when it has found a virus or Trojan on your computer. Select Delete or Quarantine to delete or isolate the virus from your machine. The utility has further options under the Quarantine, Reporting and Settings tabs.

The first time I ran it on the laptop, it found eleven threats including six types of malware. A couple of alerts were false positives for legitimate software or plugins and I restored those from the Quarantine tab.

On the whole, Kaspersky does a thorough job of finding and deleting malware.

Once the virus removal is complete you need to reboot your machine, removing the rescue disk CD or flash drive first (otherwise you reboot straight back into Kaspersky Rescue Disk). In the bottom left of the screen, where the Windows Start button normally sits, is the Kaspersky Start button – click that and select Restart. Your machine will now start up into your normal Windows operating system.

Using Kaspersky, I managed to zap the malware without resorting to a factory reset.

Many IT security experts will recommend using a combination of tools including Malwarebytes and HitmanPro to perform the belt-and-braces (lovely Northern phrase, that) security sweep in order to get maximum coverage. One tool might miss a virus, two less likely, three less likely still. AJS